It’s quite likely you will have heard by now about the OpenSSL “Heartbleed” bug (CVE-2014-0160), which was made public two days ago and caught the world’s attention yesterday. If you haven’t heard yet, type “OpenSSL Heartbleed” into your favourite search engine. It is probably the most damaging vulnerability we have ever seen hit so many systems at once. If you haven’t yet checked whether your VPS is vulnerable, treat this with urgency if you want to minimise the damage. The bug is a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f: any remote client, without authenticating, can read up to 64 KB of process memory per request from any service that uses a vulnerable OpenSSL to terminate its TLS connections, and the request can simply be repeated. That memory may contain session cookies, usernames, passwords, or even the server’s private key.
The purpose of this post is to let you know what action we took yesterday, Tuesday 8th April, to secure our own infrastructure, that is, our own servers and web services. This information does NOT apply to customers’ VPSs. We only offer unmanaged services at the moment, so it is customers’ responsibility to ensure their systems are patched regularly and promptly. If you need assistance dealing with this, or any other serious security issue, please do not hesitate to raise a support ticket and we will be glad to help.
Early yesterday morning (BST) we applied the released OpenSSL update to every affected server on our infrastructure and restarted every service that links against it, so that the patched library was actually in use; a patched package on disk does nothing for a daemon that is still running with the old copy of libssl mapped in memory. As of mid morning on Tuesday 8th April it was therefore no longer possible for anyone to exploit the vulnerability directly against our servers. Judging by today’s media reports of companies’ web sites being actively exploited, we acted very swiftly on that front.
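The two checks behind the paragraph above, and behind the “check whether your VPS is vulnerable” advice in the opening, as an added example that is not part of the original post: a classifier for the OpenSSL version string (with the caveat that distribution packages backport the fix without changing that string, so the package changelog is the reliable signal), and a scan of `/proc/<pid>/maps` for daemons that still have a deleted, pre-update `libssl`/`libcrypto` mapped and therefore still need a restart. The sample maps content is constructed for the example, and the `--live` switch, the function names and the changelog paths are this example’s own assumptions, not anything from the original page.

```shell
#!/bin/sh
# Added example, not from the original post. Sample inputs below are constructed.

# 1. Classify an upstream OpenSSL version string. 1.0.1 through 1.0.1f carry
#    Heartbleed (CVE-2014-0160); 1.0.1g and later, and the 0.9.8/1.0.0 lines,
#    do not. Prints "vulnerable" or "not-vulnerable".
#    Caveat: Debian/Ubuntu/RHEL backport the fix and keep the old version
#    string, so a "1.0.1e" host may already be fixed; see pkg_changelog_mentions_fix.
openssl_version_status() {
    case "$1" in
        1.0.1|1.0.1-beta*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        1.0.2-beta1)                                 echo vulnerable ;;
        *)                                           echo not-vulnerable ;;
    esac
}

# 2. Changelog check for distribution packages (paths are assumptions of this
#    example). Returns 0 if the fix is mentioned, 1 if not, 2 if undetermined.
pkg_changelog_mentions_fix() {
    if [ -r /usr/share/doc/libssl1.0.0/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz | grep -q CVE-2014-0160
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | grep -q CVE-2014-0160
    else
        return 2
    fi
}

# 3. Read /proc/<pid>/maps text on stdin and print each libssl/libcrypto object
#    that was replaced on disk while the process kept the old copy mapped.
#    Any output means the process still runs the unpatched code.
stale_ssl_maps() {
    awk '$6 ~ /libssl|libcrypto/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Walk every process and report PID, command name and stale library.
# Reading other users' maps needs root.
scan_live_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_maps < "$m" 2>/dev/null) || continue
        [ -n "$stale" ] && printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$stale"
    done
    return 0
}

# Constructed sample: a daemon started before the update (two stale mappings)...
SAMPLE_MAPS='7f1a2b400000-7f1a2b5c0000 r-xp 00000000 fd:01 131337 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a2b7c0000-7f1a2b820000 r-xp 00000000 fd:01 131340 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2ba20000-7f1a2bbd0000 r-xp 00000000 fd:01 131200 /lib/x86_64-linux-gnu/libc-2.13.so
7f1a2bde0000-7f1a2be00000 r-xp 00000000 fd:01 131102 /lib/x86_64-linux-gnu/ld-2.13.so'
# ...and the same daemon after a restart (nothing stale).
CLEAN_MAPS='7f1a2b400000-7f1a2b5c0000 r-xp 00000000 fd:01 131401 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f1a2b7c0000-7f1a2b820000 r-xp 00000000 fd:01 131402 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a2ba20000-7f1a2bbd0000 r-xp 00000000 fd:01 131200 /lib/x86_64-linux-gnu/libc-2.13.so'

if [ "${1:-}" = "--live" ]; then
    v=$(openssl version | awk '{ print $2 }')
    echo "openssl $v: $(openssl_version_status "$v") by version string"
    pkg_changelog_mentions_fix && echo "package changelog mentions CVE-2014-0160 (backported fix)"
    echo "processes still mapping a deleted libssl/libcrypto (restart these):"
    scan_live_processes
fi
```

Run it with `--live` on the host itself; any PID it lists (typically `apache2`, `nginx`, `postfix`, `dovecot`, `sshd` and the like) is still executing the old library regardless of what the package manager says, and needs a restart or a reboot.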
However, as you will hear again and again from many companies over the coming days and weeks, nobody can know whether this vulnerability was exploited against them before the fix was applied: a Heartbleed read happens inside the TLS layer and leaves nothing in ordinary web server access logs. We therefore took the precautionary measure of generating a new private key, contacting our SSL certificate vendor, and having them reissue certificates for all our HTTPS-protected services. We also took the opportunity to move from a certificate signed with SHA-1 to one signed with SHA-256, a separate hardening step unrelated to Heartbleed itself. By yesterday evening the new certificate was deployed to all our web services, including the Client Billing/Account area and the VPS control panel. What this means is that if someone did manage to steal our old private key through this vulnerability before we patched, it is no longer the key behind any of our services. One further step belongs in any re-key of this kind: asking the CA to revoke the old certificate, because a client that does not check revocation would otherwise keep trusting a stolen key until the old certificate expires.
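The re-key described above, as an added example that is not the original post’s procedure: generate a fresh private key and a SHA-256-signed CSR for the CA to reissue against, confirm the CSR really asks for SHA-256, and after the certificate comes back confirm it belongs to the new key rather than the possibly leaked old one. The host name `www.example.com`, the file names, and the self-signed stand-in for the CA-issued certificate are assumptions of this example; with a real CA you would submit the CSR and drop the returned certificate into the same check.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
set -u
WORKDIR=${WORKDIR:-$(mktemp -d)}

# New 2048-bit RSA key plus a CSR whose signature uses SHA-256. The old key is
# never reused; a CSR signed with the old key would defeat the purpose.
make_key_and_csr() {
    cn="$1"; key="$2"; csr="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$key"
}

# Hash algorithm named in the CSR signature, e.g. "sha256WithRSAEncryption".
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# SHA-256 of the PEM public key carried by a key file, a CSR or a certificate,
# so the three can be compared without ever copying the private key around.
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        x509) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# True when the certificate was issued for exactly this private key.
cert_matches_key() {
    [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp key "$2")" ]
}

# SHA-256 fingerprint of the certificate a live server presents; compare it
# with `openssl x509 -in new.crt -noout -fingerprint -sha256` after deployment
# to confirm the web servers really serve the new certificate.
served_cert_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Whole flow on constructed material. Returns 0 only if every check passes.
run_rekey_demo() {
    old="$WORKDIR/old.key"; new="$WORKDIR/new.key"
    csr="$WORKDIR/new.csr"; crt="$WORKDIR/new.crt"
    openssl genrsa -out "$old" 2048 2>/dev/null          # stands in for the possibly leaked key
    make_key_and_csr www.example.com "$new" "$csr"
    [ "$(csr_sig_alg "$csr")" = sha256WithRSAEncryption ] || return 1
    [ "$(pubkey_fp csr "$csr")" = "$(pubkey_fp key "$new")" ] || return 1
    # Stand-in for the CA's reissued certificate: self-sign the CSR here.
    openssl x509 -req -in "$csr" -signkey "$new" -sha256 -days 30 -out "$crt" 2>/dev/null
    cert_matches_key "$crt" "$new" || return 1           # issued for the new key...
    cert_matches_key "$crt" "$old" && return 1           # ...and not for the old one
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    run_rekey_demo && echo "re-key checks passed; artefacts in $WORKDIR"
fi
```

The match check matters in practice: a CA portal that “reissues” from the previously submitted CSR hands back a certificate for the old key, and everything looks fine until you compare public-key fingerprints. Once the new certificate is live, revoke the old one with the CA.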
Despite our swift action, we would like to ask customers to reset both their billing account password and their VPS Control Panel password at the earliest opportunity. We have no evidence of any malicious activity, but with the patched library and new certificate now in place a fresh password cannot be captured the same way, and resetting it is a cheap precaution.